Version in base suite: 1.3.6-4+deb10u3
Version in overlay suite: 1.3.6-4+deb10u4
Base version: proftpd-dfsg_1.3.6-4+deb10u4
Target version: proftpd-dfsg_1.3.6-4+deb10u5
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.6-4+deb10u4.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.6-4+deb10u5.dsc
 changelog | 7 ++
 patches/series | 2
 patches/upstream_pull_657 | 77 ++++++++++++++++++++++++
 patches/upstream_pull_885 | 147 ++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 233 insertions(+)
diff -Nru proftpd-dfsg-1.3.6/debian/changelog proftpd-dfsg-1.3.6/debian/changelog
--- proftpd-dfsg-1.3.6/debian/changelog 2020-02-25 21:23:14.000000000 +0000
+++ proftpd-dfsg-1.3.6/debian/changelog 2020-03-10 23:03:08.000000000 +0000
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.6-4+deb10u5) buster; urgency=medium
+
+ * Patch for upstream Issue #656 (Closes: #951412)
+ * Patch for upstream Bug #4385 (Closes: #949622)
+
+ -- Hilmar Preusse Wed, 11 Mar 2020 00:03:08 +0100
+
 proftpd-dfsg (1.3.6-4+deb10u4) buster-security; urgency=high
 * Non-maintainer upload by the Security Team.
diff -Nru proftpd-dfsg-1.3.6/debian/patches/series proftpd-dfsg-1.3.6/debian/patches/series
--- proftpd-dfsg-1.3.6/debian/patches/series 2020-02-25 21:23:14.000000000 +0000
+++ proftpd-dfsg-1.3.6/debian/patches/series 2020-03-10 23:03:08.000000000 +0000
@@ -22,3 +22,5 @@
 upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
 Issue-903-Ensure-that-we-do-not-reuse-already-destro.patch
 Issue-903-We-want-to-remove-the-data-transfer-comman.patch
+upstream_pull_657
+upstream_pull_885
diff -Nru proftpd-dfsg-1.3.6/debian/patches/upstream_pull_657 proftpd-dfsg-1.3.6/debian/patches/upstream_pull_657
--- proftpd-dfsg-1.3.6/debian/patches/upstream_pull_657 1970-01-01 00:00:00.000000000 +0000
+++ proftpd-dfsg-1.3.6/debian/patches/upstream_pull_657 2020-03-10 23:03:08.000000000 +0000
@@ -0,0 +1,77 @@
+From 1e056ee9171d44b85bfe2b09a6e78be78567d585 Mon Sep 17 00:00:00 2001
+From: TJ Saunders
+Date: Thu, 30 Nov 2017 07:19:06 -0800
+Subject: [PATCH] Issue #656: The keyboard-interative code in mod_sftp was
+ changing the memory pool used for response, but not restoring the previous
+ pool.
+
+Newer compilers/distros are far better about catching this, with e.g. ASLR
+and such; the previous behavior "worked" only because the memory areas in
+question _usually_ were not trampled. But with e.g. Ubuntu 17.10, such
+trampling is noticed, caught, and rejected.
+---
+ contrib/mod_sftp/kbdint.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/mod_sftp/kbdint.c b/contrib/mod_sftp/kbdint.c
+index 2a925c12b..6900f4dfc 100644
+--- a/contrib/mod_sftp/kbdint.c
++++ b/contrib/mod_sftp/kbdint.c
+@@ -1,6 +1,6 @@
+ /*
+ * ProFTPD - mod_sftp keyboard-interactive driver mgmt
+- * Copyright (c) 2008-2016 TJ Saunders
++ * Copyright (c) 2008-2017 TJ Saunders
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -264,6 +264,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+ struct ssh2_packet *pkt;
+ char mesg_type;
+ int res;
++ pool *resp_pool = NULL;
+
+ if (p == NULL ||
+ rcvd_count == NULL ||
+@@ -282,6 +283,9 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+
+ pr_response_clear(&resp_list);
+ pr_response_clear(&resp_err_list);
++
++ /* Cache a reference to the current response pool used. */
++ resp_pool = pr_response_get_pool();
+ pr_response_set_pool(pkt->pool);
+
+ mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
+@@ -290,6 +294,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+ "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
+ sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
+ destroy_pool(pkt->pool);
++ pr_response_set_pool(resp_pool);
+ errno = EPERM;
+ return -1;
+ }
+@@ -315,6 +320,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+ expected_count != 1 ? "challenges" : "challenge",
+ (unsigned long) resp_count, resp_count != 1 ? "responses" : "response");
+ destroy_pool(pkt->pool);
++ pr_response_set_pool(resp_pool);
+ errno = EPERM;
+ return -1;
+ }
+@@ -324,6 +330,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+ "received too many responses (%lu > max %lu), rejecting",
+ (unsigned long) resp_count, (unsigned long) SFTP_KBDINT_MAX_RESPONSES);
+ destroy_pool(pkt->pool);
++ pr_response_set_pool(resp_pool);
+ errno = EPERM;
+ return -1;
+ }
+@@ -339,6 +346,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+ *rcvd_count = resp_count;
+ *responses = ((const char **) list->elts);
+ destroy_pool(pkt->pool);
++ pr_response_set_pool(resp_pool);
+
+ return 0;
+ }
diff -Nru proftpd-dfsg-1.3.6/debian/patches/upstream_pull_885 proftpd-dfsg-1.3.6/debian/patches/upstream_pull_885
--- proftpd-dfsg-1.3.6/debian/patches/upstream_pull_885 1970-01-01 00:00:00.000000000 +0000
+++ proftpd-dfsg-1.3.6/debian/patches/upstream_pull_885 2020-03-10 23:03:08.000000000 +0000
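Review bot: On every exit path patched here (the hunks at lines 294, 320, 330 and 346 of kbdint.c) the restore `pr_response_set_pool(resp_pool);` is placed after `destroy_pool(pkt->pool);`, so between the two calls the response subsystem still points at a pool that has just been freed. Swapping the two lines, `pr_response_set_pool(resp_pool); destroy_pool(pkt->pool);`, closes that window at no cost and makes the restore read as the inverse of the `pr_response_set_pool(pkt->pool)` it undoes. The patch restores the pool only on the returns visible in these hunks; if sftp_kbdint_recv_response has any other return between line 283 and line 346 that is not shown here, it would still leave pkt->pool installed, which is worth confirming against the full file. sftp_kbdint_recv_response itself begins and ends outside the hunk.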
@@ -0,0 +1,147 @@
+From 3d17c8419afb10580b942f392f0a5c6de995c4e2 Mon Sep 17 00:00:00 2001
+From: TJ Saunders
+Date: Tue, 21 Jan 2020 11:09:08 -0800
+Subject: [PATCH] Bug #4385: When handling the `keyboard-interactive`
+ authentication mechanism, as used for _e.g._ PAM, make sure to properly
+ handle DEBUG, IGNORE, DISCONNECT, and UNIMPLEMENTED messages, per RFC 4253.
+
+---
+ contrib/mod_sftp/kbdint.c | 99 ++++++++++++++++++++++++++++++---------
+ 1 file changed, 76 insertions(+), 23 deletions(-)
+
+diff --git a/contrib/mod_sftp/kbdint.c b/contrib/mod_sftp/kbdint.c
+index 6900f4dfc..98b0a28af 100644
+--- a/contrib/mod_sftp/kbdint.c
++++ b/contrib/mod_sftp/kbdint.c
+@@ -1,6 +1,6 @@
+ /*
+ * ProFTPD - mod_sftp keyboard-interactive driver mgmt
+- * Copyright (c) 2008-2017 TJ Saunders
++ * Copyright (c) 2008-2020 TJ Saunders
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -254,6 +254,77 @@ int sftp_kbdint_send_challenge(const char *user, const char *instruction,
+ return res;
+ }
+
++static struct ssh2_packet *read_response_packet(pool *p) {
++ struct ssh2_packet *pkt = NULL;
++
++ /* Keep looping until we get the desired message, or we time out. */
++ while (pkt == NULL) {
++ int res;
++ char mesg_type;
++
++ pr_signals_handle();
++
++ pkt = sftp_ssh2_packet_create(kbdint_pool);
++ res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
++ if (res < 0) {
++ int xerrno = errno;
++
++ destroy_pool(pkt->pool);
++
++ errno = xerrno;
++ return NULL;
++ }
++
++ pr_response_clear(&resp_list);
++ pr_response_clear(&resp_err_list);
++
++ /* Per RFC 4253, Section 11, DEBUG, DISCONNECT, IGNORE, and UNIMPLEMENTED
++ * messages can occur at any time, even during KEX. We have to be prepared
++ * for this, and Do The Right Thing(tm).
++ */
++
++ mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
++
++ switch (mesg_type) {
++ case SFTP_SSH2_MSG_DEBUG:
++ sftp_ssh2_packet_handle_debug(pkt);
++ pkt = NULL;
++ break;
++
++ case SFTP_SSH2_MSG_DISCONNECT:
++ sftp_ssh2_packet_handle_disconnect(pkt);
++ pkt = NULL;
++ break;
++
++ case SFTP_SSH2_MSG_IGNORE:
++ sftp_ssh2_packet_handle_ignore(pkt);
++ pkt = NULL;
++ break;
++
++ case SFTP_SSH2_MSG_UNIMPLEMENTED:
++ sftp_ssh2_packet_handle_unimplemented(pkt);
++ pkt = NULL;
++ break;
++
++ case SFTP_SSH2_MSG_USER_AUTH_INFO_RESP:
++ pr_trace_msg(trace_channel, 13,
++ "received expected %s message",
++ sftp_ssh2_packet_get_mesg_type_desc(mesg_type));
++ break;
++
++ default:
++ (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
++ "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
++ sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
++ destroy_pool(pkt->pool);
++ errno = EPERM;
++ return NULL;
++ }
++ }
++
++ return pkt;
++}
++
+ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+ uint32_t *rcvd_count, const char ***responses) {
+ register unsigned int i;
+@@ -261,8 +332,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+ cmd_rec *cmd;
+ array_header *list;
+ uint32_t buflen, resp_count;
+- struct ssh2_packet *pkt;
+- char mesg_type;
++ struct ssh2_packet *pkt = NULL;
+ int res;
+ pool *resp_pool = NULL;
+
+@@ -273,32 +343,15 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+ return -1;
+ }
+
+- pkt = sftp_ssh2_packet_create(kbdint_pool);
+-
+- res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
+- if (res < 0) {
+- destroy_pool(pkt->pool);
+- return res;
++ pkt = read_response_packet(p);
++ if (pkt == NULL) {
++ return -1;
+ }
+
+- pr_response_clear(&resp_list);
+- pr_response_clear(&resp_err_list);
+-
+ /* Cache a reference to the current response pool used. */
+ resp_pool = pr_response_get_pool();
+ pr_response_set_pool(pkt->pool);
+
+- mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
+- if (mesg_type != SFTP_SSH2_MSG_USER_AUTH_INFO_RESP) {
+- (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
+- "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
+- sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
+- destroy_pool(pkt->pool);
+- pr_response_set_pool(resp_pool);
+- errno = EPERM;
+- return -1;
+- }
+-
+ cmd = pr_cmd_alloc(pkt->pool, 2, pstrdup(pkt->pool, "USER_AUTH_INFO_RESP"));
+ cmd->arg = "(data)";
+